When companies suffer a data leak, they will usually fulfil their legal duty to notify the authorities. But they are far more reluctant to share details of the leak with their customers or even the media. That is a missed opportunity, says Bernold Nieuwesteeg of Erasmus School of Law. Data leaks are as unavoidable as the flu, so organisations should suppress the reflex to keep quiet when one happens. Instead, they should share the details of the leak. That allows researchers and investigators to analyse which cybersecurity investments are actually effective in the long run.
Nieuwesteeg is the director of the EUR institute Centre for Law and Economics of Cyber Security. Leave out "Centre for" and you have the title of the thesis that earned him a doctorate in June 2018. With threats from both state actors and commercial computer hackers, cyber security scores high on the government's agenda, and policy papers are published constantly. Bernold Nieuwesteeg could recite them with his eyes closed: 'The world is digitising rapidly. To maintain our top position we have to overcome threats. This document cites several experts.'
Fear of damaging reputation
Under the General Data Protection Regulation (GDPR), companies are required to report data breaches to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). Losing a USB stick, laptop theft or hacking all count as breaches. If the breach has negative effects for the people involved (think of financial data, IDs, or usernames and passwords), it also has to be reported to those people. But that is usually where it ends. Incidents are not announced out in the open, for fear of damaging reputations. 'Understandable,' says Nieuwesteeg. 'Announcing that you got hacked makes you vulnerable. Yet there is a huge difference between what people fear and the actual consequences. Most people don't really care if a company got hacked or not. Research has shown that there are no long-term negative effects.'
Compulsory emotional training
Still, security officers react with panic after a breach. 'You have a job, kids, a mortgage, and suddenly the private data of 100,000 people is out in the open. Next thing you know, they're spending big time on security audits. But does that help? Penetration tests are snapshots. There are a thousand ways to hack an organisation. Closing one security hole doesn't do much for the other nine hundred and ninety-nine ways. Tests like that give a false sense of security.' Nieuwesteeg is in favour of behavioural change. 'Every security officer should be required to do emotional training, because people don't react rationally in situations like that.'
Not just the suckers
According to Nieuwesteeg, we should get rid of the idea that only suckers get hacked. 'Research shows that organisations that are properly secured actually report more breaches. One indication of good security is encryption. People who bother to encrypt data also tend to make backups. If such a company should get hacked, then nothing is lost. Besides, the alternative, which is concealing breaches, is not an option. Sooner or later things get out in the open, and that's when you really have a problem. When internet security company FOXit was hacked, they were completely transparent. It takes courage, but in the end the public appreciates it.'
Nieuwesteeg is also in favour of making breaches public. 'The knowledge we're getting from the notification requirement isn't being utilised. The AP gathers the notifications, but stacks them in a digital drawer. It's merely a bureaucratic exercise, while it should be a chance to show vulnerabilities, analyse trends and see which security measures have an effect.'
Is the problem of data breaches solvable, or should it, just like the flu, be accepted as a natural phenomenon? Nieuwesteeg: 'We should keep on reporting breaches. That way we can increase awareness and recognise trends. Investing in security is fine, but we should be critical of the return on investment. You can spend a euro only once, so you want to make sure it's done efficiently.'